December 15, 2003 12:00 AM

Windows Server 2003 PKI Certificate Autoenrollment

Automatically deploy user and machine X.509 certificates
Windows IT Pro
InstantDoc ID #40948

Advanced Autoenrollment Options
Now let's look at some of the advanced autoenrollment options: the requirement for certificate manager approval, the selfRA feature, the concept of superseding certificate templates, and the meaning of the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" certificate template property. These options are available only on Version 2 certificate templates.

Version 2 certificate templates have a property called CA certificate manager approval on the Issuance Requirements tab, as Figure 4 shows. If you set this property, CA manager approval is required before the CA will issue the certificate. Until the CA manager approves the request, the CA holds it in its pending request store. The autoenrollment process then periodically checks the CA for approved requests and automatically installs the issued certificates on the client machine. The CA manager can approve pending certificate requests from the pending request container in the CA snap-in.

SelfRA is a new Windows 2003 PKI feature that lets you set special enrollment requirements on Version 2 certificate templates. SelfRA requires that a new certificate request be signed with an existing (previously issued) certificate and its associated private key. SelfRA is also configured from the Issuance Requirements tab of the certificate template properties and works in conjunction with autoenrollment. However, autoenrollment can't handle requests that require more than one signature to authorize the enrollment request. You can set the following selfRA-related properties:

  • The number of signatures required to authorize the certificate request (for autoenrollment, the number of signatures is limited to one)—This property might be required when you issue certificates for applications with high security requirements; in that case, you might want to make certificate issuance dependent on the approval of several entities.
  • The content of the application and issuance policy fields in the authorization certificate's X.509 extensions.
  • The requirements for automatic reenrollment—Use the same criteria you used for the original enrollment (listed in the upper part of the Issuance Requirements tab) or check to determine whether a valid certificate of the type mentioned in the certificate template is present in the PKI user's certificate store.

Superseding certificate templates let CA administrators automatically reenroll users for certain certificate types. For example, you can change a property of a particular certificate type (e.g., the lifetime or content of an X.509 extension) by issuing a new certificate. To set up superseding templates, click Add on the Superseded Templates tab of the New User Properties dialog box of a Version 2 certificate template. Figure 5 shows the Add Superseded Template dialog box.

"Do not automatically reenroll if a duplicate certificate exists in Active Directory" is another useful autoenrollment certificate template property; it's available on the General tab of a Version 2 certificate template. When you enable this property, autoenrollment won't enroll a user for a certificate if a matching certificate already exists in the user's AD object, even if no such certificate exists in the Personal (My) container of the user's local certificate store. The autoenrollment process queries AD to decide whether to enroll the user. This option is useful for users who don't have roaming profiles and who log on to multiple machines. Without this setting, those users would be automatically enrolled for a new certificate on every machine they log on to.
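The AD-side check described above, as an added example that is not from the article or from Microsoft: a Windows PowerShell script that reads the certificates published to a user's AD object and compares them, per certificate template, with the user's local Personal (My) store, so an administrator can see which templates this option would treat as already enrolled. It assumes a domain-joined Windows machine, Windows PowerShell, and read access to the userCertificate attribute; matching on the raw template-extension bytes is an approximation of autoenrollment's own comparison.

```powershell
# Added example (not from the article): compare a user's AD-published certificates
# with the local Personal (My) store, grouped by certificate template.
param([string]$SamAccountName = $env:USERNAME)   # assumed: current user by default

Add-Type -AssemblyName System.DirectoryServices

# Template identity lives in one of two extensions:
# V1 template name (1.3.6.1.4.1.311.20.2) or V2 template OID + version (1.3.6.1.4.1.311.21.7).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-TemplateKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) {
            # Identical raw extension bytes mean "same template (and version)" without ASN.1 parsing.
            return $ext.Oid.Value + ':' + [Convert]::ToBase64String($ext.RawData)
        }
    }
    return $null   # not template-based (e.g. a third-party certificate)
}

# 1. Certificates published to the user's AD object: what the
#    "Do not automatically reenroll if a duplicate certificate exists in AD" check looks at.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.Add('userCertificate')
$entry = $searcher.FindOne()
if (-not $entry) { throw "User $SamAccountName not found in AD" }

$adCerts = @()
foreach ($bytes in $entry.Properties['usercertificate']) {
    $adCerts += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$bytes)
}

# 2. Certificates in the current user's local Personal (My) store.
$myStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$myStore.Open('ReadOnly')
$localCerts = @($myStore.Certificates)
$myStore.Close()

# 3. Compare per template, ignoring expired certificates. A template present in AD but
#    absent locally is exactly the case in which this option suppresses a fresh enrollment.
$now = Get-Date
$adKeys    = $adCerts    | Where-Object { $_.NotAfter -gt $now } | ForEach-Object { Get-TemplateKey $_ } | Where-Object { $_ }
$localKeys = $localCerts | Where-Object { $_.NotAfter -gt $now } | ForEach-Object { Get-TemplateKey $_ } | Where-Object { $_ }
foreach ($key in ($adKeys | Sort-Object -Unique)) {
    $state = if ($localKeys -contains $key) { 'in AD and local store' } else { 'in AD only (autoenrollment would skip)' }
    '{0}  {1}' -f $key, $state
}
```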

Ease of Use
Certificate autoenrollment is a useful feature from a PKI user's point of view. Compared with the feature set of other PKI products on the market, Windows 2003 PKI autoenrollment is a unique feature that gives Windows 2003 an important advantage.


Comments
  • Bryce
    Jun 26, 2005

    All seems fine if you have Server 2003 Enterprise edition. We have Standard Edition and I'm quite in the dark as to what I can do -> seems to be very little?
    Why?
